Sign up for the MACH newsletter

You have been successfully added to our newsletter.

A daily newsletter charting the future: From technology to the scientific breakthroughs changing our lives.

Sponsored by

Cyber Threats Are 'Mind Blowing,' Crooks Getting Smarter: Report

Share this —

Mach

Cyber Threats Are 'Mind Blowing,' Crooks Getting Smarter: Report

by Herb Weisbaum / Apr.12.2016 / 12:54 AM ET

Get the Mach newsletter.

The technology you use is being targeted, every hour of every day.

These digital attacks are growing in number and sophistication, according to the Internet Security Threat Report released by the cyber security company Symantec on Tuesday. The data lost, the money stolen and the disruption caused by cybercriminals is worse than ever.

“We see a higher level of professionalization among these attackers, and not just nation states where you expect that sort of thing, but even with the common cybercriminals,” said Kevin Haley, director of Symantec Security Response.

Cybercrime is now such a part of everyday life that we’re no longer shocked by the staggering numbers being reported. For example, Symantec discovered more than 430 million new and unique pieces of malware in 2015, up 36 percent from the year before.

“That’s really a mind-blowing number,” Haley told NBC News. “In 2009, we had about two million pieces of malware and at the time we thought that was pretty overwhelming, and now we’re talking about more than 430 million. It’s more than a million new pieces of malware getting written each and every day.”

Zero-day vulnerabilities a growing threat

Criminals are getting better at finding and using so-called “zero-day” vulnerabilities — previously unknown flaws in browsers and website plugins that leave home and business computers open to attack. Hundreds of thousands of systems can be infected before the vulnerability is discovered and patched.

The number of zero-day vulnerabilities discovered last year more than doubled to 54, up 125 percent.

Professional crime rings try to find and exploit the vulnerabilities in popular software, such as Internet Explorer and Adobe Flash, because so many people use these programs every day. Symantec found that four of the five most exploited zero-day vulnerabilities last year were with Adobe Flash.

In a statement to NBC News, Adobe said it takes the security of its products and customers very seriously. The majority of these attacks exploit software that has not been updated with the latest security patches, the company said in its email.

“Flash Player is one of the most ubiquitous and widely distributed pieces of software in the world, and as such, is a target of malicious hackers. We are continuously working to improve Flash Player security as the threat landscape evolves, and when issues arise, we work to quickly resolve them. With regards to zero-days, we’ve been able to expedite the patching process to just days,” Adobe wrote.

This is why it’s important to have your computer set to automatically receive and install updates. Until those patches are in place, your system is vulnerable.

Even well-known sites can be dangerous

It’s easy to assume that you’re safe from online crime if you stick to well-known websites. But that’s not the case. You don’t have to go to some “bad part” of the web to get infected.

Cybercrooks are taking advantage of flaws in legitimate websites to spread their malicious software.

“They can get in to that site and plant their malware,” Haley explained. “So when you show up at a site you trust, they’re able to load their malware onto your machine and you won’t even know it happened to you.”

The report points the finger at website administrators who fail to secure their sites. Symantec estimates that more than 75 percent of all legitimate websites have unpatched vulnerabilities. Fifteen percent have what the report called “critical” flaws that allow cybercriminals to gain access and manipulate the site with very little effort.

Ransomware attacks increase and expand to new targets

Criminals go where the money is and they’re making a bundle from ransomware that extorts payment from their victims.

Ransomware is a form a malware that encrypts all the data on a computer or network system. In order to get the key to unlock those files, you need to pay a ransom — typically $300 to $500 per machine. Payment is usually done in Bitcoins, the digital currency that’s virtually impossible for law enforcement to trace.

If the crooks can compromise a business, one that hasn’t been good about backing up its files, the payday can be tens of thousands of dollars. That’s why businesses are now prime targets.

This encryption-style ransomware grew 35 percent in 2015, Symantec reported. And the crooks moved beyond PCs to encrypt smartphones, Mac and Linux systems. Because this crime is so lucrative, ransomware attacks are expected to grow dramatically this year.

Computer systems big and small at risk

Criminal hackers don’t give up when their attack is unsuccessful. Symantec’s analysis of the data shows that if criminals really want to get into a computer system at a government organization or financial company, they’ll try at least three more times during the year.

“These guys don’t give up easily,” Haley said. “You may feel good if you repelled one attack, but don’t spend too much time feeling satisfied with yourself, because there’s probably three more coming.”

Big computer systems make an appealing target, but the report warns that all businesses are potentially vulnerable. In fact, businesses with less than 250 employees are more at risk than ever. Last year, 43 percent of all cyberattacks targeted these small companies.

Many companies avoid full disclosure

Personal records are being compromised at an alarming rate. There are now so many breaches, most never make the news.

Nine mega-breaches (more than 10 million records stolen) were reported last year.

The total number of identities exposed from all intrusions jumped 23 percent to 429 million. But Symantec believes the true number is much higher — more than a half billion.

Symantec found that “more and more companies chose not to reveal the full extent of the breaches they experienced.” The report calls this “a disturbing trend” that jeopardizes everyone.

“You can understand it would be embarrassing to a company that somebody broke in and took off with all the records of their customers, so there’s a tendency to try to make it sound better than it was or hide how bad it was,” Haley said. “And that’s really a shame because transparency allows all of us to understand the problem so we can defend ourselves better.”

Mobile devices are vulnerable, too

Whether you realize it or not, your smartphone is vulnerable to all the malicious things a criminal can do to your desktop or laptop. Malware inserted into apps or downloaded directly can steal your contacts, passwords and PIN codes. Ransomware that locks a smartphone has already been deployed.

Up until now, threats to iPhones and iPads have been infrequent and limited. This changed in 2015, the report noted, with new threats to Apple’s operating system and thousands of infected iOS apps.

02:12

Symantec predicts that mobile threats will continue to proliferate in 2016, and that security researchers, operating system developers and app writers are already taking note and paying more attention to mobile security.

“Although we expect mobile devices to come under growing attack over the next year, there is also hope that with the right preventative measures and continuing investment in security, users can achieve a high level of protection,” the report concluded.

Despite this gloomy reality check, there are things you can and should do to protect yourself whenever or however you go online. The National Cyber Security Alliance has an extensive library of resources at its StaySafeOnline.org website.